Feeds

Airline security critic raided by Feds

Don't even joke about it

Providing a secure and efficient Helpdesk

Indiana University graduate student Christopher Soghoian pointed out a flaw in airline security by posting a fake boarding pass generator online, and was rewarded with a visit from FBI agents with a search warrant.

The FBI raided his residence on Saturday, only days after the student posted a PHP script enabling anyone to print a boarding pass for Northwest Airlines.

It's unlikely that a fake pass would enable someone to board a flight they hadn't paid for, but it would suffice to get one into the "secure" area of an airport. Soghoian's example passes would fail at the gate when read electronically. Still, they would likely not be challenged until that point.

The trick involved is not new; indeed, it was publicised by Slate magazine in February 2005. Creating a script enabling any fool to generate a pass was Soghoian's contribution.

The Feds apparently considered this to be going a step further than providing information that's already available, and interpreted it as encouraging bad behaviour, even though Soghoian was clear about the fact that his example passes would not enable one to fly for free. They only demonstrated how easily people on the no-fly lists could find themselves wandering about an airport, if, for example, they were too lazy to get an ID and credit card issued under a different name.

Which brings us to the observation that, yes, airport security is crap, just as Soghoian's pass generator and the Slate article illustrate, and no, it really doesn't matter if people can print their own boarding passes, and even edit them.

In the five years since 9/11, the TSA has failed to catch a single terrorist, and it isn't because they're printing boarding passes. It's because the entire idea of setting up checkpoints at widely-publicised locations and waiting for terrorists to turn up and get caught is idiotic. Those who might be recognised visually aren't flying commercially.

The rest are simply declining to participate as well, or are travelling with authentic, government-issued passports and working credit cards obtained fraudulently - which is hardly more challenging than editing a boarding pass, but pays far better dividends, like actually being permitted to travel.

We note that US Representative Edward Markey (Democrat, Massachusetts) overreacted wildly to news of Soghoian's pass generator and called for his immediate arrest.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey exclaimed.

He later retracted that bit of political theatre: "Subsequently, I learned that the person responsible...intended to provide a public service by warning that this long-standing loophole could be easily exploited." Markey concluded that: "The Department of Homeland Security should put [Soghoian] to work showing public officials how easily our security can be compromised."

Markey is a member of the House Homeland Security Committee. With the midterm elections approaching, he's naturally eager to show the world that Democrats are just as security-savvy as Republicans claim to be. But he gets it wrong both times. He overstates the risk in the first place, and in the second place overestimates Soghoian's "contribution" to airline security in pointing out a minor flaw that's been known for years.

But so long as security remains a political football, this is the sort of rubbish we will have to listen to (The Register does commend Markey for not waiting until after the election to issue the retraction, as many others in his position would have done).

The homemade boarding pass is no big deal. The risk is minor, and it's mitigated somewhat by the fact that the passes issued by the airlines at check in, where ID is required, look different. This is by design, to give the TSA an opportunity to exercise a bit more care when screening passengers in possession of boarding passes obtained otherwise.

And yes, it would not be terribly difficult to make a facsimile of an airline-issued pass to escape extra scrutiny, but we have to point out that the real threat is undesirable travellers with false identities, proffering authentic travel documents. That's the right way to beat the system, and it's easy. No terrorist worth his salt is going to waste time Photoshopping boarding passes.

In the movies, the scoundrels always have a guy who does counterfeit passports. He's always eccentric, and strangely heliophobic for someone who does close work, but he's invariably a world-class artist. The counterfeits cost thousands of dollars and take several days.

In the real world, with a fake birth certificate, you can get a genuine passport in 24 hours for less than $200. Of course, movies wouldn't be as much fun if we kept that in mind. But when we're doing security, it's wise to remain clear on the differences between Hollywood and reality.

Meanwhile, we hope that Soghoian isn't destined to spend several years in prison for pointing out a security flaw that, ultimately, is irrelevant. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
In the next four weeks, 100 people will decide the future of the web
While America tucks into Thanksgiving turkey, the world will be taking over the net
Microsoft EU warns: If you have ties to the US, Feds can get your data
European corps can't afford to get complacent while American Big Biz battles Uncle Sam
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.